Bug 94618

Summary: IndexedDB: IDBRequest can be destructed during abort
Product: WebKit    Reporter: Joshua Bell <jsbell>
Component: WebCore Misc.    Assignee: Joshua Bell <jsbell>
Status: RESOLVED FIXED
Severity: Normal    CC: alecflett, dgrogan, tony, webkit.review.bot
Priority: P2
Version: 523.x (Safari 3)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Joshua Bell
Reported 2012-08-21 11:11:22 PDT
If all script references to an IDBRequest have been dropped, it's possible the only thing keeping a request alive is an enqueued event. If that's the case, then if the request is abort()ed the destructor can run in the middle of the abort() method, and asserts.

Abbreviated stack trace:

    ASSERTION FAILED: m_readyState == DONE || m_readyState == EarlyDeath || !scriptExecutionContext()
    ../../third_party/WebKit/Source/WebCore/Modules/indexeddb/IDBRequest.cpp(83) : virtual WebCore::IDBRequest::~IDBRequest()
    1  WebCore::IDBRequest::~IDBRequest()
    ...
    7  WebCore::EventTarget::deref()
    ...
    13 WebCore::Event::~Event()
    ...
    22 WTF::Vector<WTF::RefPtr<WebCore::Event>, 0ul>::clear()
    23 WebCore::IDBRequest::abort()
    24 WebCore::IDBTransaction::abort(int&)
    25 WebCore::IDBTransaction::stop()
    26 non-virtual thunk to WebCore::IDBTransaction::stop()
    27 WebCore::ScriptExecutionContext::stopActiveDOMObjects()
    28 WebCore::Document::detach()
    29 WebCore::Document::prepareForDestruction()
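The lifetime hazard in the report, reduced to a self-contained stand-in (added here; this is not WebKit code and not the patch attached to this bug): a refcounted request whose only remaining owner is one of its own queued events is released while abort() is still on the stack, so the "destroyed before DONE" condition that the assertion checks becomes true mid-method. The guarded variant uses a local strong reference for the method's duration, the usual idiom for this class of bug; whether r126361 fixed it that way is not stated on the page, so treat it as an assumption. Class and member names are simplified stand-ins for IDBRequest, its event queue and m_readyState.

```cpp
// Stand-in (not WebKit code) for the report: a refcounted request whose only
// remaining owner is one of its own queued events, released inside abort().
#include <memory>
#include <utility>
#include <vector>

struct Request;
struct Event { std::shared_ptr<Request> target; };   // a queued event pins its target
struct Lifetime {                                    // outlives the object, so the test can read it
    bool destroyed = false;
    bool destroyedBeforeDone = false;                // the condition the report's ASSERTION checks
};
struct Request : std::enable_shared_from_this<Request> {
    enum State { PENDING, DONE } readyState = PENDING;
    std::vector<std::shared_ptr<Event>> enqueuedEvents;
    Lifetime* lifetime;
    explicit Request(Lifetime* l) : lifetime(l) {}
    ~Request() { lifetime->destroyed = true; lifetime->destroyedBeforeDone = (readyState != DONE); }
    void enqueueEvent() { enqueuedEvents.push_back(std::make_shared<Event>(Event{shared_from_this()})); }

    // Returns true if *this* was destroyed before the method finished.
    // Unguarded: releasing the queue may release the last reference to the request;
    // every member access after that point is a use-after-free.
    bool abortUnguarded() {
        Lifetime* l = lifetime;                      // copied first: `this` may not survive
        auto events = std::move(enqueuedEvents);     // local, so this stand-in stays well-defined
        events.clear();                              // last owner released -> ~Request runs here
        if (l->destroyed) return true;
        readyState = DONE;
        return false;
    }
    // Guarded: a local strong reference keeps the request alive until the method returns,
    // so any destruction happens after the state update, in the caller's frame.
    bool abortGuarded() {
        std::shared_ptr<Request> protect = shared_from_this();
        auto events = std::move(enqueuedEvents);
        events.clear();
        readyState = DONE;                           // safe: `protect` still owns the object
        return lifetime->destroyed;                  // false
    }
};

// Script has dropped its reference, so only the queued event owns the request when abort() runs.
// Returns whether the request died mid-abort; `life` records how it eventually died.
bool abortWithOnlyEventReference(bool guarded, Lifetime& life) {
    auto request = std::make_shared<Request>(&life);
    request->enqueueEvent();
    Request* raw = request.get();
    request.reset();                                 // script reference gone; the event keeps it alive
    return guarded ? raw->abortGuarded() : raw->abortUnguarded();
}
```

The unguarded path returns true with `destroyedBeforeDone` set, which is the state the report's assertion rejects; the guarded path returns false and the object is released only after abort() has completed.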
Attachments
Patch (2.19 KB, patch)
2012-08-21 11:36 PDT, Joshua Bell
no flags
Joshua Bell
Comment 1 2012-08-21 11:36:49 PDT
Alec Flett
Comment 2 2012-08-21 12:01:37 PDT
lgtm
Joshua Bell
Comment 3 2012-08-21 12:09:15 PDT
Joshua Bell
Comment 4 2012-08-21 12:09:31 PDT
tony@ - r?
Tony Chang
Comment 5 2012-08-21 13:38:03 PDT
Comment on attachment 159729 (Patch):
If there's a way to reliably hit the assert, it would be nice to add a test case for it.
WebKit Review Bot
Comment 6 2012-08-22 15:28:33 PDT
Comment on attachment 159729 (Patch):
Clearing flags on attachment: 159729
Committed r126361: <http://trac.webkit.org/changeset/126361>
WebKit Review Bot
Comment 7 2012-08-22 15:28:36 PDT
All reviewed patches have been landed. Closing bug.